summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh/openssh
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch61
-rw-r--r--meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch30
-rw-r--r--meta/recipes-connectivity/openssh/openssh/init115
-rw-r--r--meta/recipes-connectivity/openssh/openssh/nostrip.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch29
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch22
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch114
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch57
-rwxr-xr-xmeta/recipes-connectivity/openssh/openssh/run-ptest7
-rw-r--r--meta/recipes-connectivity/openssh/openssh/ssh_config46
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd10
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket10
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd@.service11
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_config119
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service10
-rw-r--r--meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd2
16 files changed, 663 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
new file mode 100644
index 0000000..07af667
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
@@ -0,0 +1,61 @@
1Adjust test cases to work with busybox.
2
3- Replace dd parameter "obs" with "bs".
4- Replace "head -<num>" with "head -n <num>".
5
6Signed-off-by: Maxin B. John <maxin.john@enea.com>
7Upstream-Status: Pending
8
9--- a/regress/cipher-speed.sh 2012-06-30 07:08:53.000000000 +0200
10+++ b/regress/cipher-speed.sh 2013-02-15 11:30:20.670022055 +0100
11@@ -26,7 +26,7 @@
12 echon "$c/$m:\t"
13 ( ${SSH} -o 'compression no' \
14 -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
15- exec sh -c \'"dd of=/dev/null obs=32k"\' \
16+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
17 < ${DATA} ) 2>&1 | getbytes
18
19 if [ $? -ne 0 ]; then
20@@ -42,7 +42,7 @@
21 echon "$c:\t"
22 ( ${SSH} -o 'compression no' \
23 -F $OBJ/ssh_proxy -1 -c $c somehost \
24- exec sh -c \'"dd of=/dev/null obs=32k"\' \
25+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
26 < ${DATA} ) 2>&1 | getbytes
27 if [ $? -ne 0 ]; then
28 fail "ssh -1 failed with cipher $c"
29--- a/regress/transfer.sh 2003-09-04 06:54:40.000000000 +0200
30+++ b/regress/transfer.sh 2013-02-15 11:25:34.666411185 +0100
31@@ -18,7 +18,7 @@
32 for s in 10 100 1k 32k 64k 128k 256k; do
33 trace "proto $p dd-size ${s}"
34 rm -f ${COPY}
35- dd if=$DATA obs=${s} 2> /dev/null | \
36+ dd if=$DATA bs=${s} 2> /dev/null | \
37 ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
38 if [ $? -ne 0 ]; then
39 fail "ssh cat $DATA failed"
40--- a/regress/yes-head.sh 2005-11-28 06:41:03.000000000 +0100
41+++ b/regress/yes-head.sh 2013-02-15 11:55:11.413715068 +0100
42@@ -4,7 +4,7 @@
43 tid="yes pipe head"
44
45 for p in 1 2; do
46- lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
47+ lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)`
48 if [ $? -ne 0 ]; then
49 fail "yes|head test failed"
50 lines = 0;
51--- a/regress/key-options.sh 2008-07-04 09:08:58.000000000 +0200
52+++ b/regress/key-options.sh 2013-02-15 12:06:05.109486098 +0100
53@@ -54,7 +54,7 @@
54 fi
55
56 sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
57- from=`head -1 $authkeys | cut -f1 -d ' '`
58+ from=`head -n 1 $authkeys | cut -f1 -d ' '`
59 verbose "key option proto $p $from"
60 r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
61 if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
new file mode 100644
index 0000000..ba13cd1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch
@@ -0,0 +1,30 @@
1Upstream-Status: Pending
2
3Subject: auth2-none.c: avoid authenticate empty passwords to mess up with PAM
4
5If UsePAM, PermitEmptyPasswords, PasswordAuthentication are enabled. The ssh daemon
6will try to authenticate an empty password, resulting in login failures of any user.
7If PAM is enabled, then we should leave the task of password authentication to PAM.
8
9Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
10
11---
12 auth2-none.c | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/auth2-none.c b/auth2-none.c
16index c8c6c74..b48b2fd 100644
17--- a/auth2-none.c
18+++ b/auth2-none.c
19@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
20 {
21 none_enabled = 0;
22 packet_check_eom();
23- if (options.permit_empty_passwd && options.password_authentication)
24+ if (options.permit_empty_passwd && options.password_authentication && !options.use_pam)
25 return (PRIVSEP(auth_password(authctxt, "")));
26 return (0);
27 }
28--
291.7.9.5
30
diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init
new file mode 100644
index 0000000..70d4a34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/init
@@ -0,0 +1,115 @@
1#! /bin/sh
2set -e
3
4PIDFILE=/var/run/sshd.pid
5
6# source function library
7. /etc/init.d/functions
8
9# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
10
11test -x /usr/sbin/sshd || exit 0
12( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
13
14# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
15if test -f /etc/default/ssh; then
16 . /etc/default/ssh
17fi
18
19[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
20mkdir -p $SYSCONFDIR
21
22HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
23HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
24HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
25HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
26
27check_for_no_start() {
28 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
29 if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
30 echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
31 exit 0
32 fi
33}
34
35check_privsep_dir() {
36 # Create the PrivSep empty dir if necessary
37 if [ ! -d /var/run/sshd ]; then
38 mkdir /var/run/sshd
39 chmod 0755 /var/run/sshd
40 fi
41}
42
43check_config() {
44 /usr/sbin/sshd -t || exit 1
45}
46
47check_keys() {
48 # create keys if necessary
49 if [ ! -f $HOST_KEY_RSA ]; then
50 echo " generating ssh RSA key..."
51 ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
52 fi
53 if [ ! -f $HOST_KEY_ECDSA ]; then
54 echo " generating ssh ECDSA key..."
55 ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
56 fi
57 if [ ! -f $HOST_KEY_DSA ]; then
58 echo " generating ssh DSA key..."
59 ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
60 fi
61 if [ ! -f $HOST_KEY_ED25519 ]; then
62 echo " generating ssh ED25519 key..."
63 ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
64 fi
65}
66
67export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
68
69case "$1" in
70 start)
71 check_for_no_start
72 echo "Starting OpenBSD Secure Shell server: sshd"
73 check_keys
74 check_privsep_dir
75 start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
76 echo "done."
77 ;;
78 stop)
79 echo -n "Stopping OpenBSD Secure Shell server: sshd"
80 start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
81 echo "."
82 ;;
83
84 reload|force-reload)
85 check_for_no_start
86 check_keys
87 check_config
88 echo -n "Reloading OpenBSD Secure Shell server's configuration"
89 start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
90 echo "."
91 ;;
92
93 restart)
94 check_keys
95 check_config
96 echo -n "Restarting OpenBSD Secure Shell server: sshd"
97 start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
98 check_for_no_start
99 check_privsep_dir
100 sleep 2
101 start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
102 echo "."
103 ;;
104
105 status)
106 status /usr/sbin/sshd
107 exit $?
108 ;;
109
110 *)
111 echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}"
112 exit 1
113esac
114
115exit 0
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
new file mode 100644
index 0000000..33111f5
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
@@ -0,0 +1,20 @@
1Disable stripping binaries during make install.
2
3Upstream-Status: Inappropriate [configuration]
4
5Build system specific.
6
7Signed-off-by: Scott Garman <scott.a.garman@intel.com>
8
9diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
10--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
11+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
12@@ -29,7 +29,7 @@
13 RAND_HELPER=$(libexecdir)/ssh-rand-helper
14 PRIVSEP_PATH=@PRIVSEP_PATH@
15 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
16-STRIP_OPT=@STRIP_OPT@
17+STRIP_OPT=
18
19 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
20 -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
new file mode 100644
index 0000000..30c11cf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
@@ -0,0 +1,29 @@
1openssh-CVE-2011-4327
2
3A security flaw was found in the way ssh-keysign,
4a ssh helper program for host based authentication,
5attempted to retrieve enough entropy information on configurations that
6lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
7be executed to retrieve the entropy from the system environment).
8A local attacker could use this flaw to obtain unauthorized access to host keys
9via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
10
11https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
12http://www.openssh.com/txt/portable-keysign-rand-helper.adv
13
14Upstream-Status: Pending
15
16Signed-off-by: Li Wang <li.wang@windriver.com>
17--- a/ssh-keysign.c
18+++ b/ssh-keysign.c
19@@ -170,6 +170,10 @@
20 key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
21 key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
22 key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
23+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
24+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
25+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
26+ fatal("fcntl failed");
27
28 original_real_uid = getuid(); /* XXX readconf.c needs this */
29 if ((pw = getpwuid(original_real_uid)) == NULL)
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch
new file mode 100644
index 0000000..3deaf3f
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch
@@ -0,0 +1,22 @@
1Upstream-Status: Backport
2
3Fix for CVE-2014-2532
4
5Backported from openssh-6.6p1.tar.gz
6
7Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
8---
9--- a/session.c
10+++ b/session.c
11@@ -955,6 +955,11 @@
12 u_int envsize;
13 u_int i, namelen;
14
15+ if (strchr(name, '=') != NULL) {
16+ error("Invalid environment variable \"%.100s\"", name);
17+ return;
18+ }
19+
20 /*
21 * If we're passed an uninitialized list, allocate a single null
22 * entry before continuing.
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
new file mode 100644
index 0000000..674d186
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
@@ -0,0 +1,114 @@
1Upstream-Status: Backport
2
3This CVE could be removed if openssh is upgrade to 6.6 or higher.
4Below are some details.
5
6Attempt SSHFP lookup even if server presents a certificate
7
8Reference:
9https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
10
11If an ssh server presents a certificate to the client, then the client
12does not check the DNS for SSHFP records. This means that a malicious
13server can essentially disable DNS-host-key-checking, which means the
14client will fall back to asking the user (who will just say "yes" to
15the fingerprint, sadly).
16
17This patch means that the ssh client will, if necessary, extract the
18server key from the proffered certificate, and attempt to verify it
19against the DNS. The patch was written by Mark Wooding
20<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
21it, and tested it.
22
23Signed-off-by: Matthew Vernon <matthew@debian.org>
24Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
25---
26--- a/sshconnect.c
27+++ b/sshconnect.c
28@@ -1210,36 +1210,63 @@ fail:
29 return -1;
30 }
31
32+static int
33+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
34+{
35+ int rc = -1;
36+ int flags = 0;
37+ Key *raw_key = NULL;
38+
39+ if (!options.verify_host_key_dns)
40+ goto done;
41+
42+ /* XXX certs are not yet supported for DNS; try looking the raw key
43+ * up in the DNS anyway.
44+ */
45+ if (key_is_cert(host_key)) {
46+ debug2("Extracting key from cert for SSHFP lookup");
47+ raw_key = key_from_private(host_key);
48+ if (key_drop_cert(raw_key))
49+ fatal("Couldn't drop certificate");
50+ host_key = raw_key;
51+ }
52+
53+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
54+ goto done;
55+
56+ if (flags & DNS_VERIFY_FOUND) {
57+
58+ if (options.verify_host_key_dns == 1 &&
59+ flags & DNS_VERIFY_MATCH &&
60+ flags & DNS_VERIFY_SECURE) {
61+ rc = 0;
62+ } else if (flags & DNS_VERIFY_MATCH) {
63+ matching_host_key_dns = 1;
64+ } else {
65+ warn_changed_key(host_key);
66+ error("Update the SSHFP RR in DNS with the new "
67+ "host key to get rid of this message.");
68+ }
69+ }
70+
71+done:
72+ if (raw_key)
73+ key_free(raw_key);
74+ return rc;
75+}
76+
77 /* returns 0 if key verifies or -1 if key does NOT verify */
78 int
79 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
80 {
81- int flags = 0;
82 char *fp;
83
84 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
85 debug("Server host key: %s %s", key_type(host_key), fp);
86 free(fp);
87
88- /* XXX certs are not yet supported for DNS */
89- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
90- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
91- if (flags & DNS_VERIFY_FOUND) {
92-
93- if (options.verify_host_key_dns == 1 &&
94- flags & DNS_VERIFY_MATCH &&
95- flags & DNS_VERIFY_SECURE)
96- return 0;
97-
98- if (flags & DNS_VERIFY_MATCH) {
99- matching_host_key_dns = 1;
100- } else {
101- warn_changed_key(host_key);
102- error("Update the SSHFP RR in DNS with the new "
103- "host key to get rid of this message.");
104- }
105- }
106- }
107+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
108+ return 0;
109
110 return check_host_key(host, hostaddr, options.port, host_key, RDRW,
111 options.user_hostfiles, options.num_user_hostfiles,
112--
1131.7.9.5
114
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch b/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch
new file mode 100644
index 0000000..0913701
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-ptest-fix-sshconnect.patch
@@ -0,0 +1,57 @@
1Fixed openssh ptest
2
3ptests for openssh, apart from a lot of .sh scripts, also
4require 2 executables to be cross-compiled for the target
5and deployed there, that will be called from the test
6scripts.
7
8Those 2 files were not built when cross-compiling
9(Makefile target all:), so I added them to the build,
10under the target all_test.
11
12This new make target is intended to be run from
13do_compile_ptest(), that builds everything needed for
14performing the ptests.
15
16Because both these 2 executables required for ptest
17are linked with libssh (LDFLAGS += -lssh), I also
18added it as dependency for each of them.
19
20Upstream-status: Inappropriate
21
22Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
23---
24--- a/Makefile.in 2014-12-10 16:19:37.513373454 +0100
25+++ b/Makefile.in 2014-12-10 16:25:23.262764227 +0100
26@@ -130,6 +130,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fix
27
28 all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
29
30+all_test: regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
31+
32 $(LIBSSH_OBJS): Makefile.in config.h
33 $(SSHOBJS): Makefile.in config.h
34 $(SSHDOBJS): Makefile.in config.h
35@@ -394,18 +396,18 @@ uninstall:
36 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
37 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
38
39-regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
40+regress/modpipe$(EXEEXT): libssh.a
41 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
42 [ -f `pwd`/regress/Makefile ] || \
43 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
44- $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
45+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
46 $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
47
48-regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
49+regress/setuid-allowed$(EXEEXT): libssh.a
50 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
51 [ -f `pwd`/regress/Makefile ] || \
52 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
53- $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
54+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/setuid-allowed.c \
55 $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
56
57 tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
new file mode 100755
index 0000000..3e725cf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -0,0 +1,7 @@
1#!/bin/sh
2
3export TEST_SHELL=sh
4
5cd regress
6make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \
7 | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
new file mode 100644
index 0000000..4a4a649
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -0,0 +1,46 @@
1# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
2
3# This is the ssh client system-wide configuration file. See
4# ssh_config(5) for more information. This file provides defaults for
5# users, and the values can be changed in per-user configuration files
6# or on the command line.
7
8# Configuration data is parsed as follows:
9# 1. command line options
10# 2. user-specific file
11# 3. system-wide file
12# Any configuration value is only changed the first time it is set.
13# Thus, host-specific definitions should be at the beginning of the
14# configuration file, and defaults at the end.
15
16# Site-wide defaults for some commonly used options. For a comprehensive
17# list of available options, their meanings and defaults, please see the
18# ssh_config(5) man page.
19
20Host *
21 ForwardAgent yes
22 ForwardX11 yes
23# RhostsRSAAuthentication no
24# RSAAuthentication yes
25# PasswordAuthentication yes
26# HostbasedAuthentication no
27# GSSAPIAuthentication no
28# GSSAPIDelegateCredentials no
29# BatchMode no
30# CheckHostIP yes
31# AddressFamily any
32# ConnectTimeout 0
33# StrictHostKeyChecking ask
34# IdentityFile ~/.ssh/identity
35# IdentityFile ~/.ssh/id_rsa
36# IdentityFile ~/.ssh/id_dsa
37# Port 22
38# Protocol 2,1
39# Cipher 3des
40# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
41# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
42# EscapeChar ~
43# Tunnel no
44# TunnelDevice any:any
45# PermitLocalCommand no
46# VisualHostKey no
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
new file mode 100644
index 0000000..4882e58
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -0,0 +1,10 @@
1#%PAM-1.0
2
3auth include common-auth
4account required pam_nologin.so
5account include common-account
6password include common-password
7session optional pam_keyinit.so force revoke
8session include common-session
9session required pam_loginuid.so
10
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
new file mode 100644
index 0000000..12c39b2
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -0,0 +1,10 @@
1[Unit]
2Conflicts=sshd.service
3
4[Socket]
5ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
6ListenStream=22
7Accept=yes
8
9[Install]
10WantedBy=sockets.target
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
new file mode 100644
index 0000000..bb2d68e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -0,0 +1,11 @@
1[Unit]
2Description=OpenSSH Per-Connection Daemon
3Wants=sshdgenkeys.service
4After=sshdgenkeys.service
5
6[Service]
7ExecStart=-@SBINDIR@/sshd -i
8ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
9StandardInput=socket
10StandardError=syslog
11KillMode=process
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
new file mode 100644
index 0000000..4f9b626
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -0,0 +1,119 @@
1# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
2
3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented. Uncommented options change a
11# default value.
12
13#Port 22
14#AddressFamily any
15#ListenAddress 0.0.0.0
16#ListenAddress ::
17
18# Disable legacy (protocol version 1) support in the server for new
19# installations. In future the default will change to require explicit
20# activation of protocol 1
21Protocol 2
22
23# HostKey for protocol version 1
24#HostKey /etc/ssh/ssh_host_key
25# HostKeys for protocol version 2
26#HostKey /etc/ssh/ssh_host_rsa_key
27#HostKey /etc/ssh/ssh_host_dsa_key
28
29# Lifetime and size of ephemeral version 1 server key
30#KeyRegenerationInterval 1h
31#ServerKeyBits 1024
32
33# Logging
34# obsoletes QuietMode and FascistLogging
35#SyslogFacility AUTH
36#LogLevel INFO
37
38# Authentication:
39
40#LoginGraceTime 2m
41#PermitRootLogin yes
42#StrictModes yes
43#MaxAuthTries 6
44#MaxSessions 10
45
46#RSAAuthentication yes
47#PubkeyAuthentication yes
48#AuthorizedKeysFile .ssh/authorized_keys
49
50# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
51#RhostsRSAAuthentication no
52# similar for protocol version 2
53#HostbasedAuthentication no
54# Change to yes if you don't trust ~/.ssh/known_hosts for
55# RhostsRSAAuthentication and HostbasedAuthentication
56#IgnoreUserKnownHosts no
57# Don't read the user's ~/.rhosts and ~/.shosts files
58#IgnoreRhosts yes
59
60# To disable tunneled clear text passwords, change to no here!
61#PasswordAuthentication yes
62#PermitEmptyPasswords no
63
64# Change to no to disable s/key passwords
65#ChallengeResponseAuthentication yes
66
67# Kerberos options
68#KerberosAuthentication no
69#KerberosOrLocalPasswd yes
70#KerberosTicketCleanup yes
71#KerberosGetAFSToken no
72
73# GSSAPI options
74#GSSAPIAuthentication no
75#GSSAPICleanupCredentials yes
76
77# Set this to 'yes' to enable PAM authentication, account processing,
78# and session processing. If this is enabled, PAM authentication will
79# be allowed through the ChallengeResponseAuthentication and
80# PasswordAuthentication. Depending on your PAM configuration,
81# PAM authentication via ChallengeResponseAuthentication may bypass
82# the setting of "PermitRootLogin without-password".
83# If you just want the PAM account and session checks to run without
84# PAM authentication, then enable this but set PasswordAuthentication
85# and ChallengeResponseAuthentication to 'no'.
86#UsePAM no
87
88#AllowAgentForwarding yes
89#AllowTcpForwarding yes
90#GatewayPorts no
91#X11Forwarding no
92#X11DisplayOffset 10
93#X11UseLocalhost yes
94#PrintMotd yes
95#PrintLastLog yes
96#TCPKeepAlive yes
97#UseLogin no
98UsePrivilegeSeparation yes
99#PermitUserEnvironment no
100Compression no
101ClientAliveInterval 15
102ClientAliveCountMax 4
103#UseDNS yes
104#PidFile /var/run/sshd.pid
105#MaxStartups 10
106#PermitTunnel no
107#ChrootDirectory none
108
109# no default banner path
110#Banner none
111
112# override default of no subsystems
113Subsystem sftp /usr/libexec/sftp-server
114
115# Example of overriding settings on a per-user basis
116#Match User anoncvs
117# X11Forwarding no
118# AllowTcpForwarding no
119# ForceCommand cvs server
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
new file mode 100644
index 0000000..c21d70b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -0,0 +1,10 @@
1[Unit]
2Description=OpenSSH Key Generation
3ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
4ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
5ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
6
7[Service]
8ExecStart=@BINDIR@/ssh-keygen -A
9Type=oneshot
10RemainAfterExit=yes
diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
new file mode 100644
index 0000000..a0d2af3
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
@@ -0,0 +1,2 @@
1d root root 0755 /var/run/sshd none
2f root root 0644 /var/log/lastlog none